How Data Retention Makes Us Less Secure

from the security-is-contextual dept

We've already discussed how Congress appears to be moving forward with a nasty data retention bill disguised as an anti-child porn bill. There are all sorts of problems with the bill, including the likelihood that it will be massively abused by the government (which is why bill opponent Rep. Zoe Lofgren offered an amendment to rename the bill from the misleading Protecting Children from Internet Pornographers Act to the more accurate "Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act of 2011"). Julian Sanchez (whose suggested renaming is the "Forcing Your Internet Provider to Spy On You Just In Case You're a Criminal Act of 2011") separately highlights another issue: how much less secure this will make everyone's data.

While most people worried about this law are reasonably concerned about how the government will spy on their data, an equally serious problem is that it will make all of our data less secure. If you're wondering how merely retaining data can make it less secure, Sanchez explains how context matters in security: if you increase the value of the payload, even without changing the absolute strength of your defenses, you've decreased your actual security, because you've made yourself a bigger target:

If I started storing big piles of gold bullion and precious gems in my home, my previously highly secure apartment would suddenly become laughably insecure, without my changing my security measures at all. If a company significantly increases the amount of sensitive or valuable information stored in its systems — because, for example, a government mandate requires them to keep more extensive logs — then the returns to a single successful intrusion (as measured by the amount of data that can be exfiltrated before the breach is detected and sealed) increase as well. The costs of data retention need to be measured not just in terms of terabytes, or man hours spent reconfiguring routers. The cost of detecting and repelling a higher volume of more sophisticated attacks has to be counted as well.

One very simple security measure a company can practice, then, is to simply avoid retaining enough data to attract the interest of the most skilled professionals (or, alternatively, those willing to hire out botnets to aid their attacks). Because the adequacy of a security system is always a function of the payoff of breach to the attacker, then, privacy is an important component of security, as well as a value worth respecting for its own sake.

This is a point that I fear many involved in this debate are totally ignoring.

and they will keep continuing to ignore it until it's too late, the security is breached, and massive amounts of data are pilfered. And their response will be - no, not shame, but arrogance - and more laws to punish the evildoers who now pose a more serious threat to everyone thanks to the government's actions. No matter what happens, the government wins, and the people lose.

Re:

You hit a tangential nail on the head. The world's servers process 10ZB of data every year. Now, not all of that is web traffic but even if it does account for an appreciable percentage of that I can easily see a time when we as a society begin drowning in our own useless knowledge. By useless knowledge I mean the fact that I visited a certain site at a certain time with a certain browser, not the knowledge of the fact that Hippopotomonstrosesquippedaliophobia is the fear of long words.

One of the ways to avoid issues is to create data retention systems that are not online systems. That is to say that the systems are unidirectional (you can write, but cannot read), and make the systems themselves not part of the actual accessible network.

Encrypt everything, use the old aes256, and make it inaccessible. Make the only way you can read the data be going on site, using a non-networked computer, etc. Archive it to non-active materials (tape, discs, whatever) and take it offline on a daily basis.

The biggest issue is data that is retained and kept online. You can retain data with minimal risks, but you have to take the right steps.
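The write-only archive the comment above proposes, as an added example (not the commenter's code, and not any ISP's or product's): the online collector holds only an RSA public key and seals each log batch under a fresh AES-256-GCM key wrapped to that public key, so the retained data can be read only on the offline machine that holds the private key. Assumptions: Go standard library only; the record layout, the batch label bound as associated data, and the key sizes are my choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// ArchiveRecord is what the online collector writes out to tape or disc.
// Nothing in it is readable without the RSA private key that stays offline.
type ArchiveRecord struct {
	WrappedKey []byte // per-batch AES-256 key, RSA-OAEP wrapped to the offline key
	Nonce      []byte // AES-GCM nonce, fresh for every batch
	Ciphertext []byte // AES-256-GCM over the batch; the batch label is bound as AAD
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal runs on the online collector, which holds only the public key. Once
// the record is written, the collector itself can no longer read the batch.
func Seal(pub *rsa.PublicKey, label string, batch []byte) (*ArchiveRecord, error) {
	key := make([]byte, 32) // AES-256 key used for this one batch
	if _, err := io.ReadFull(rand.Reader, key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, batch, []byte(label))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(label))
	if err != nil { return nil, err }
	for i := range key { key[i] = 0 } // drop the only plaintext copy of the batch key
	return &ArchiveRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the non-networked review machine that holds the private key.
// A wrong key, a wrong label or any tampering fails authentication.
func Open(priv *rsa.PrivateKey, label string, rec *ArchiveRecord) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, []byte(label))
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(label))
}
```

Keep the private key off the collector entirely (generated and stored on the review machine), otherwise the online host can read everything it wrote and the "write only" property is lost.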

Re:

What you are proposing is indeed quite secure - but at the price of a greatly increased cost of access for "legitimate" users. That is always the trade-off with security and your idea does nothing to get around it.

Do you really think that your "write only memory" would be acceptable to those who want access to the data?

Re: Re:

Those who want to access the data would do it through non-networked systems (on site) or by physically transporting the archived data to a viewing site. This isn't data that would be looked at every day, is it?

The costs? Not really much higher, it only requires some attention to detail to get it done right.

Not so compelling

I don't find this argument as compelling as others - the data could always be stored offline (not that the law requires this, but still). I think it's dangerous to start piling on more and more arguments after someone like Rep. Lofgren has already presented real problems stemming from the law.

Every argument that can be dismissed as "well, we can do X to fix that" weakens the overall objection to the law.

Security by obscurity

The answer here is to have a job running on your IP address which dilutes all your real data with junk data, thus making data mining useless. That is, while you surf the internet, you have a data job running in the background which randomly crawls Google and makes random search engine requests. Then fetch the random page. This will effectively fill up the ISP logs and make finding your true web page visits effectively impossible to determine. Of course this is a complete waste of resources, but this is what it's coming to in order to have any sort of privacy.

Re: Security by obscurity

Your plan would work absolute wonders in keeping a marketer from knowing anything about you for certain (though that's not necessarily the case).

However, it could and eventually would most likely backfire in keeping law enforcement from finding something to hit you with, whether it be child porn (unlikely unless you're randomly crawling some really seedy places), copyright infringement, or even a significant number of visits to extremist groups. Perhaps they'll even hit you with a CFAA charge a la a ToS violation.

If they want to hit you with something, anything they find will be used against you. In fact, claiming in court that you set up a system will probably not win you many friends on the jury that will be told "if the defendant didn't have anything to hide, why did he go so far to cover it up?"

No, the answer is to abort this bill before it becomes law. Letting it pass and then trying to obfuscate your data is not the answer.

Re: Security by obscurity

I've made the same point repeatedly; here's the latest version:

(This was in response to Violet Blue's column on the topic.)

Everything you said is true. But it's worse than that: they're building
a target. Or, rather, many targets. Let me explain.

Personal information has value: to advertisers, to marketers, to spammers,
to phishers, to actual real live pedophiles, to disgruntled ex-boyfriends,
to insurance companies, to extortionists, to all kinds of people.

And let me pause to interject: it's no comfort at all to hear that
it's "not personally identifiable". As recent research has shown us,
pointedly, when enough disparate data sources are combined, that becomes
wishful thinking.

So there are people who have uses for this data...and are willing to pay
for it. Therefore there WILL be a market for it, just like there are
markets for everything else illicit on the 'net, e.g., custom spamming
software.

And since there will be a market for it, there will be buyers...and
sellers.

Some of the sellers will be crooked ISPs who are willing to sell their
own users out to anyone with cash-in-hand. (My bet: Comcast and
Verizon will fall all over themselves to do this.) But some of them
will be ISP employees, who will have access to it and will be more than
happy to exchange a USB stick or ten, stuffed with compressed log files,
for an envelope of tax-free income.

Then there will be a secondary market: crafty people who are willing
to buy data from a few dozen sources and combine, correlate, reduce,
filter, enhance it -- and then sell that composite product. (If I have
the logs that indicate what DNS queries you've run, then I can make
good guesses at what web sites you visit...or perhaps have logins on...
your email provider, your social network, your IM accounts, etc. I can
then search those, one at a time or via Google. The more I know about
you, the more I *can* know.) And of course these same crafty people
know all about credit cards -- so they'll be able to produce individual
dossiers that make it very easy to perform competent identity theft.

And since (putatively) we're talking about pedophiles here: think of
the possibilities for them.

This idiotic bill puts ISPs in the position of building targets:
big stationary highly attractive targets that everyone will *know*
they have.

And let me interject once again: there's no reason at all to be reassured
by ANYONE'S claim that they'll be kept "securely". LulzSec/AntiSec have
been pulling the shorts of one government security contractor after
another over their heads for months, and they're not even trying hard.
Determined adversaries will go right through whatever inept "security"
is put in place around this.

So here's what'll happen: the information will be collected. Some of
it will be collected incorrectly, people will get doors kicked down
because a network monitoring script mangled an IP address. Some of
it will be sold by ISPs, some by ISP employees. Insurance companies
will cancel policies, abused wives will be stalked by crazy ex-husbands,
pedophiles will select targets, etc. Big chunks of data will be bought
and sold at places like the Russian Business Network (which, by the way,
is not as gone as people wish it were). The end result will be a privacy
and security nightmare for everyone...and it will increase, not decrease,
the risks to the children that it supposedly protects.

Oh, and the politicians responsible will pat themselves on the back
and take credit for it. And when it all goes wrong...they will use
that time-honored phrase of spokesliars everywhere:
"...and nobody could have foreseen..."

For a long time I have been successful in not worrying about identity theft or funds theft. This has been possible by not providing info either on the net or on the computer. That data cannot be lifted from your computer without it being there. It is a sure fire method to prevent that data from getting out. Simply, if it is not there to be found, it can't be gotten.

What I have no control over is someone else storing data on me from compiled sources. Putting them into data storage sections for anyone to find is not my idea of security.

Hackers hack into banks and credit card data for a reason. Because it is usually there in large numbers. It's the big target complete with painted bullseye.

This is the typical government solution when government gets involved. The result is more expense for the owner of the net account to pay for the people and equipment this will take to comply and at the same time, more targets for opportunity awaiting those eager to get hands on data that shouldn't be there.

Apparently no one has learned anything about the cell phone hacking done by World News or the Murdoch corporations.

Retaining Data makes us vulnerable to hacking and theft

I'm in favor of data volatility; ISPs would erase data after a short period and keep us safer from identity theft and hacking. Data retention would only make each of us vulnerable to unauthorized viewing. Why not make the punishment for pedophilia more unsavory instead? Eunuchization of pedophiles and sex offenders would be appropriate IMHO, just a little surgery and the problem is addressed permanently?

We already have this sh*t in Europe

Meanwhile we have had data retention in Europe for many years already. Officially introduced to "fight terrorism and child porn". I still have to see a report on how many acts of terror this system has prevented, or how many pedophiles it caught. I am willing to bet the answer is something close to zero in both cases.

I also heard from someone who worked at my ISP, that it was pretty easy to look into the logs. Apparently they are not treated as highly sensitive information.

Re: The amount of data equals the attractiveness to intruders

This is the same argument that I made when discussing the security considerations in cloud computing.

Putting everything hackers need into one place seems a bit too convenient for them.

That is not how the cloud is supposed to work. That is just a centralised computer system right out of the 1960s. Unfortunately big corporations have hijacked and distorted the "cloud" idea and are trying to use it as an instrument of control.

Bonfire?

Keep the info on paper tape and punch cards, and refuse to offer assistance sifting through the data when the government comes calling. Then, every three months or so after expiry has been reached, have a big ol' bonfire for the community. Hot dogs, hamburgers, balloons for the kids, maybe an origami contest...

Doing this to us is bullshit. As much as I do not want to see it, if it goes through I hope a group hacks their damn spying database and releases it on TPB. That would be a big fuck you to the 1984 government who has no right to do this spying bs on us citizens.